Users of networked computer systems desire to transfer data reliably and efficiently to and from other networked computer systems. The Transfer Control Protocol/Internet Protocol (TCP/IP) provides the ability to send and receive data to and from various TCP/IP networked computer systems. File transfer protocol (FTP) is one example of a service that runs on a TCP/IP networked computer system. FTP enables large amounts of data to be transferred from a client side to a server side, or vice versa.
Services such as FTP typically initiate communication on a reserved communication port on the server. The reserved communication port is sometimes referred to as a “well-known port.” For example, a user of a client machine may request a connection to an FTP server on the well-known port to transmit/receive data to/from the FTP server. The FTP server may respond by establishing a unique connection between the client and the FTP server. A unique connection is determined by an IP address of the client, an IP address of the server, and the port on the server being accessed.
Firewalls are used to secure their hosts by screening data transfers between their hosts and their user community. Conventional firewalls are typically programmed to restrict inbound traffic for a particular set of users and/or a particular set of hosts and/or ports. Firewalls decide to pass data based on the type of protocol used for the data transfer, the destination IP address, and/or source IP address.
Most firewalls are programmed to pass data on any connection to a well-known port on a server. For example, if a server has a well-known port for an FTP service, a firewall typically passes or otherwise permits data transfers to and from the well-known FTP port. Some services use a single connection to transfer all the data to/from the server. For large transfers of data occurring on a single connection, throughput is limited to that of a single connection.
“Latency” refers to the amount of time it takes a block of data to get from one designated point to another, in a network. Conventional systems have attempted to address a problem of slow data transfer in high latency firewalled networks by establishing multiple connections between the client and the server. Some conventional systems establish these multiple connections by allocating ports on a server dynamically. This process typically involves establishing multiple connections between the client and the server, in real time, by assigning each communication channel a new server port. A firewall in the network typically permits the connections to be established provided the firewall is aware of the protocol being used. For example, the firewall may inspect the protocol information associated with a data transfer in order to determine what new ports should be allocated. Thus, the firewall must be able to recognize the protocol information in order to assign the communication channel a port on the server.
Using dynamic port allocation, the firewall opens a corresponding communication port in the firewall not otherwise left open for each of the unique connections established between the client and the server. For example, a client may request a large transfer of data from a server, and the client and the server may negotiate to execute the transfer on three parallel connections between the client and the server. As a result, the firewall would open three corresponding communication ports in the firewall for passing the data channeled on each connection and close them once the transfer is complete.
Dynamic port allocation is problematic because it leaves the firewall exposed to security risks at three corresponding communication ports. Because the firewall decides to open three corresponding ports to pass data, the part of the network being protected by the firewall is more vulnerable than when the data transfer is being executed on a single connection.
Because some firewalls use dynamic port allocation to regulate data traffic, the manufacturers of firewalls-need to be “aware” of the protocols being used to transfer data through the firewall. More specifically, conventional firewalls must be able to recognize and understand protocol information as it passes through the firewall in order to determine what new ports should be allocated. This results in compatibility problems with installed, or otherwise existing, firewalls when new protocols are created.
These and other drawbacks exist.